Logs & Monitor

This chapter shows you how configure rules to create logs for specified conditions. You can use the powerful Logs & Monitor features in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to see logs and to monitor the effectiveness of QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency. Policies.

Overview of Logging

These events are logged. The table below describes features unique to event logs.

Non-Accounting Log Events

Log Event	Data Returned	Presentation	Policy Mode
Connection Reject
QoS rejects a connection when the number of guaranteed connections is exceeded and/or when you have configured the system not to accept additional connections.	The name of the matching rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. on account of which the connection was rejected.	Generated as a reject log. Unified with the initial connection log.	Recommended policy only.
Running Out of Packet Buffers
One of the interface-direction's packet buffers is exhausted. A report is generated a maximum of once per 12 hours.	A string explaining the nature of the problem and the size of the relevant pool.	New log record created each time a global problem is reported.	Recommended policy only.
LLQ Low Latency Queuing is a feature developed by Cisco to bring strict priority queuing (PQ) to class-based weighted fair queuing (CBWFQ). LLQ allows delay-sensitive data (such as voice) to be given preferential treatment over other traffic by letting the data to be dequeued and sent first. Packet Drop
When a packet is dropped from an LLQ connection. A report is generated a maximum of once per 5 minutes.	Logged data: Number of bytes dropped due to delay expiration Average packet delay Jitter Variation in the delay of received packets. On the sending side, packets are spaced evenly apart and sent in a continuous stream. On the receiving side, the delay between each packet can vary according to network congestion, improper queuing or configuration errors. (maximum delay difference between two consecutive packets)	Unified with the initial connection log.	Recommended policy only.

The next table describes the features unique to accounting logs.

Explaining the Accounting Log

Logged	Data Returned	Policy Mode
General Statistics
The total bytes transmitted through QoS for each relevant interface and direction.	Inbound and outbound bytes transmitted by QoS.	Recommended and Express policies.
Drop Policy Statistics
Total bytes dropped from the connection as a result of the QoS policy. Count of the bytes dropped from the connection because the maximum used memory fragments for a single connection was exceeded.		Recommended policy mode only.
LLQ Statistics
Statistics about the LLQ connection.	Logged data: Number of bytes dropped due to delay expiration Average packet delay Jitter (maximum delay difference between two consecutive packets)	Recommended policy mode only.

These conditions must be met for a connection to be logged:

The QoS logging checkbox must be selected in the Gateway Properties - Additional Logging Configuration window. (By default this is automatically selected.)
The connection's matching rule must be marked with either Log or Account in the Track field of the rule. See Confirming a Rule is logged andTo Modify Tracking for a Rule .

Examples of Log Events

This section describes the log events.

Connection Reject Log

The connection is rejected because the rule exceeds the number of guaranteed connections, where Accept additional non-guaranteed connections is unchecked in the QoS Action Properties window (see QoS Action Properties ). The log will include the name as well as the class of the rule in the following format: rule_name: <class> <name>.

In the following example, the rule belongs to the class Best_Effort. The name of the rule (rule_name) is udp2.

Connection Reject Log - Example

Time	Product	Interface	Type	Action	Information
15:17:09	QoS	daemon	log	reject	rule_name:Best_Effort->udp2

LLQ Drop Log

When a packet from the LLQ connection is dropped, LLQ information is computed and logged from the last time a log was generated. This information includes significant data logged from the relevant interface-direction. In the following example, the information logged includes:

s_in_llq_drops: The number of bytes dropped from the connection on the Server-In interface direction.
s_in_llq_avg_xmit_delay: The average delay computed for all the connection's packets that were not dropped on the Server-In interface direction.
s_in_llq_max_delay: The maximum delay of a connection packet that was not dropped on the Server-In interface direction.
s_in_llq_xmit_jitter: The maximum delay difference between two consecutive successfully transmitted packets of the connection on the Server-In interface direction. Any packets which are dropped in between the two successfully transmitted packets are ignored.

s_in_llq_recommended_delay: The default delay that can be entered into the Add Low Latency QoS Class Properties window in order to achieve a minimal number of dropped bytes.

LLQ Drop Log - Example

Product	Type	Information
QoS	log	s_in_llq_drops:3000 s_in_llq_avg_xmit_delay: 900 s_in_llq_max_delay: 1351 s_in_llq_xmit_jitter: 1351 s_in_llq_recommended_delay:2000

Product

Type

Information

QoS

log

s_in_llq_drops:3000

s_in_llq_avg_xmit_delay: 900

s_in_llq_max_delay: 1351

s_in_llq_xmit_jitter: 1351

s_in_llq_recommended_delay:2000

In the above example relevant data was observed only on the Server-In interface direction, therefore only Server-In counters are available.

Note -. There are several reasons why logging might not occur on a specified interface direction:

QoS might not be installed on all the interface's directions.
No packets were seen on other interface directions.
Data on other interface directions might not be significant, for instance, the values logged might be zero.

Pool Exceeded Log

A log for when the designated size of the ifdir pool is exceeded. In this example, the log shows:

An interface direction (ifdir) has a pool size of 8 fragments.
The interface name is E100B1, and the direction is outbound (outbound shown by the cube with an outward pointing arrow).

Pool Exceeded Log - Example

Product	Interface	Type	Information
QoS	E100B1	control	info:Ifdir Memory Pool Exceeded Pool_size:8

Examples of Account Statistics Logs

Logs always include the segment_time information (the time from which the information about the log was gathered) in the Information column.

The Mandatory Fields in Account Logs

Product	Type	Information
QoS	Account	segment_time 8May2002 12:24:57

Account Logs may include any or all of the above information

Note - Only significant data is logged and presented in the same log record.

General Statistics Data

These statistics include the number of bytes transmitted through QoS in any relevant interface direction. In the following example:

s_in_bytes: 5768 bytes were transmitted through QoS on the Server-In interface direction.
s_out_bytes: 154294 bytes were transmitted through QoS on the Server-Out interface direction.

General Statistics Data - Example

...	Information	...
	s_in_bytes:5768 s_out_bytes: 154294

Drop Policy Statistics Data

The number of bytes dropped from the connection in any relevant interface direction as a result of drop policy are logged. The drop policy is aimed at managing QoS packet buffers, see WFRED Weighted Flow Random Early Drop. A mechanism for managing the packet buffers of QoS. Adjusting automatically and dynamically to the network traffic situation, WFRED remains transparent to the user. (Weighted Flow Random Early Drop). This includes the total number of bytes dropped from the connection since it exceeded its allocation. In the following example:

s_out_total_drops: 3914274 bytes were dropped from the connection as a result of drop policy, on the Server-Out interface direction.
s_out_exceed_drops: Out of total number of drops (s_out_total_drops)3914274 bytes were dropped from the connection because it exceeded its allowed number of fragments, on the Server-Out interface direction.

Drop Policy Statistics Data - Example

...	Information	...
	s_out_total_drops:3914274 s_out_exceed_drops: 3914274

LLQ Statistics Data

Data items are the same as in LLQ Drop Log, but are generated from the beginning of the connection, not from the last time a log was created.